Web3 Survival Guide 01 | Private Keys/Seed Phrases and Wallet Passwords – What’s the Difference?

Tyler Web3
Invited columnist
2026-06-23 08:11
This article is about 3531 words; reading the whole article takes about 6 minutes
Forgetting your wallet password doesn’t necessarily mean losing your coins; once your seed phrase is leaked, that’s where the real danger lies.
AI Summary
  • Core Insight: This article explains key Web3 security concepts in simple terms: the private key is the sole credential for controlling on-chain assets, the seed phrase is a readable backup form of the private key, while the wallet password only unlocks the app. Users must distinguish between exchange accounts (platform custody) and self-custody wallets (where users hold the private key) and adopt security measures such as offline seed phrase backups.
  • Key Elements:
    1. A wallet is essentially a “key box” for managing private keys; assets are actually recorded on the blockchain. Losing or leaking a private key will result in asset loss.
    2. A private key and seed phrase are fundamentally the same; the seed phrase consists of 12 or 24 words, making it easier for users to back up and restore their wallet.
    3. The wallet password (PIN code) is used solely for local app unlocking. If forgotten, it can be reset using the private key/seed phrase; if the private key is lost and the wallet also cannot be opened, the assets cannot be recovered.
    4. Assets in a centralized exchange account are custodied by the platform, managed through account passwords and two-factor authentication, without an independent private key. A private key leak does not necessarily mean theft, but it corresponds to different user responsibilities and risk allocations.
    5. The “Web3 Wallet” provided by exchanges has separate asset control from the platform account; the seed phrase must be backed up independently, and the platform cannot recover it.
    6. Hot wallets store private keys on internet-connected devices, while cold wallets (hardware wallets) store them offline. However, hardware wallets cannot prevent users from voluntarily leaking their seed phrase.
    7. Storing seed phrases on cloud drives carries risks of malware, account leaks, and app reading. For large holdings, it is recommended to hand-write them on paper or metal plates and perform multiple offline backups in independent, secure locations.

I often help newcomers to Web3 with their questions, and I've encountered a wide variety of issues.

For example, some people ask, "If I delete my wallet or forget my password, can I get it back?" Others take screenshots of their seed phrase and save them in their photo album, thinking it's safe as long as they don't share it. And there are those who can't quite grasp the difference between an exchange account and a wallet they've downloaded themselves.

These questions might seem basic, but in reality, even people who have been using wallets for years may not fully understand them.

So, I'm starting a new series called the "Web3 Survival Guide." I'll try to avoid jargon and focus on those seemingly small but truly important issues, helping everyone understand and use Web3 step by step.

This article is the first in the "Web3 Survival Guide." Let's start with the most important thing: What exactly is the difference between a private key, a seed phrase, and a wallet password?

1. First, Remember This: There Are No Coins in Your Wallet

Many people think their BTC, USDT, ETH, or other tokens are "stored in their wallet."

Strictly speaking, however, your assets are not inside the wallet app. They are recorded on the blockchain. In other words, the wallet you use—whether it's MetaMask, OKX, SafePal, TP, or imToken—is more like a set of tools to help you keep your keys, not a vault for storing assets:

  • The blockchain is responsible for recording how many assets a particular address holds, where those assets came from, and where they were sent.
  • The wallet is responsible for helping you keep the "keys" to that address and facilitating the transfer of assets to and from that address.

For example, when you transfer tokens, swap tokens, or authorize a dApp, the wallet uses the private key stored within it to sign the transaction. This proves to the blockchain that the person controlling the address indeed agreed to perform that operation.

So, the wallet app isn't a vault for coins; it's more like a box for keys. The truly valuable thing is the key (private key) inside, not the box itself.

This also explains two things that many people find hard to understand:

  • Even if the original wallet app shuts down, is delisted, or you accidentally delete it, as long as you have backed up the correct private key, you can download another wallet, re-import the private key, and recover everything. This is because the industry uses the same technical standards, so the import logic of different wallets is interoperable. It's like putting the same key in a different box—the lock will still open.
  • If someone else gets hold of your private key, even if your phone is still in your hand and the wallet app isn't deleted, they can still transfer your assets. This is because they can import that key into their own wallet, and the blockchain only recognizes the key, not who holds it.

2. What Exactly is the Difference Between a Private Key, Seed Phrase, and Wallet Password?

Since the private key is so important, what exactly is a seed phrase?

In fact, the seed phrase was created mainly to make it easier for ordinary people to back up their wallets. A private key is a string of characters randomly generated by the system. It's long and messy, making it easy to make mistakes when copying manually, and almost impossible for an ordinary person to memorize directly.

So, the industry adopted a universal standard to "convert" private keys into seed phrases consisting of 12 or 24 English words.

This means the private key and the seed phrase are essentially the same key, just in a different format. To elaborate a bit: theoretically, one seed phrase can generate multiple private keys. For easy understanding, think of a private key as a specific key, while a seed phrase is more like a master backup of a keychain. (In my article "Starting from 'Heart of a Hunter': The 2048 Words Determining Trillions in Crypto Assets," I also discussed why seed phrases are usually generated from a fixed word list and the basic logic behind it. Interested friends can take another look.)

Now, when creating a wallet, most mainstream wallets ask users to back up their seed phrase. It's rare for ordinary users to be asked to copy down a long string of private key characters.

However, whether it's a private key or a seed phrase, you must not tell anyone. Under normal circumstances, no customer service representative, project team member, or exchange staff member will ask you to send them your private key/seed phrase. Anyone who asks you to provide your private key for reasons like "wallet verification," "risk control removal," "claiming an airdrop," or "helping recover assets" can basically be treated as a scammer.

So, what is a wallet password?

A wallet password, such as the PIN or unlock password you set when opening the app, is only used to unlock the app itself. It's similar to your phone's screen lock and has absolutely nothing to do with the private key or seed phrase.

Here's a simple principle to remember:

  • Forgetting your wallet password is not a problem. You can re-import the private key/seed phrase and set a new password.
  • If you lose your seed phrase but can still open the original wallet, you still have a chance to back it up again or transfer your assets.
  • If you lose your seed phrase and cannot open the original wallet, it might truly be unrecoverable.
  • If your seed phrase is leaked, you should immediately transfer your assets to a completely new wallet.
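
The principle above in code, as an added example that is not from the original article: under BIP-39 the seed phrase alone determines the keys, while the app password only wraps the copy stored on one device. `WalletApp` and its XOR-plus-HMAC keystore are hypothetical simplifications, and the phrase is the public BIP-39 test vector.

```python
import hashlib
import hmac
import os

# Public BIP-39 test-vector phrase, used here as sample input. Never fund it.
TEST_MNEMONIC = "abandon " * 11 + "about"

def mnemonic_to_seed(mnemonic: str) -> bytes:
    # BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" (no extra passphrase).
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"mnemonic", 2048, 64)

def master_key(seed: bytes) -> bytes:
    # BIP-32: master private key = left half of HMAC-SHA512("Bitcoin seed", seed).
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]

class WalletApp:
    """Hypothetical wallet app: the password only wraps the local copy of the seed."""

    def __init__(self, mnemonic: str, app_password: str):
        self.salt = os.urandom(16)
        pad, mac_key = self._kdf(app_password)
        # Simplified stand-in for the authenticated encryption a real app would use.
        self.blob = bytes(a ^ b for a, b in zip(mnemonic_to_seed(mnemonic), pad))
        self.tag = hmac.new(mac_key, self.blob, hashlib.sha256).digest()

    def _kdf(self, password: str):
        out = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, 96)
        return out[:64], out[64:]

    def unlock(self, app_password: str) -> bytes:
        pad, mac_key = self._kdf(app_password)
        expected = hmac.new(mac_key, self.blob, hashlib.sha256).digest()
        if not hmac.compare_digest(self.tag, expected):
            raise PermissionError("wrong app password")
        return master_key(bytes(a ^ b for a, b in zip(self.blob, pad)))

def recover_after_forgotten_password() -> bool:
    old_install = WalletApp(TEST_MNEMONIC, "old-pin-1234")
    original_key = old_install.unlock("old-pin-1234")
    # Password forgotten: reinstall, re-import the same phrase, pick a new password.
    new_install = WalletApp(TEST_MNEMONIC, "brand-new-pin")
    return new_install.unlock("brand-new-pin") == original_key

if __name__ == "__main__":
    print("same key after password reset:", recover_after_forgotten_password())
```

The same property is why a leaked phrase cannot be fixed by changing the app password: anyone holding the phrase derives the identical key on their own device.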

3. Why Don't Exchange Accounts Have a Seed Phrase?

Many people's first contact with cryptocurrencies is through exchanges like Binance, OKX, or Bitget. This often leads to a question: "I also have BTC, ETH, USDT, and USDC on the exchange, so why don't you give me a seed phrase?"

This is because assets held on a centralized exchange are usually not under your direct control via a private key/seed phrase; they are managed by the exchange on your behalf.

When we log into an exchange, we typically use our phone number/email plus a login password, along with a secondary verification tool like SMS code or Google Authenticator. The balance you see in your account is mainly a record kept by the exchange in its internal system, not an independent on-chain address completely under your control.

The advantage of this method is its simplicity. Even if you forget your password, you can contact customer service, complete facial recognition or identity verification, and recover your account. The corresponding cost, however, is that you need to trust the exchange to securely safeguard your assets and handle everyone's deposits and withdrawals properly.

With a wallet, it's different. You hold the private key yourself, so the control over your assets is mainly in your hands. You can usually transfer funds whenever and to whomever you want without going through an exchange review. However, you also take on the responsibility of safekeeping your seed phrase, identifying phishing websites, and avoiding operational errors.

Therefore, I always tell everyone that the choice between trading platforms and personal wallets is not inherently about which is safer; rather, they represent two different ways of distributing responsibility. Using a trading platform means entrusting some of the security and custody responsibilities to the platform. Using a wallet means taking both the control and the corresponding responsibility for your assets back into your own hands.

Choosing which one depends on your asset size, usage frequency, and personal risk management capabilities.

However, there's one more thing that can be confusing today. Mainstream trading platforms typically offer both a "trading platform account" and a "Web3 wallet." For example, within the same Binance or OKX app, you can log into your trading account and also create a self-custodial wallet that requires backing up a seed phrase.

Although the entry points are together, they are not the same account, and the way assets are controlled is completely different. The distinguishing factor is simple: if the wallet asks you to independently back up the seed phrase and explicitly states that the platform cannot recover it for you, then it is a self-custodial wallet.

4. The Difference Between Hot Wallets and Cold Wallets Also Lies in the Private Key

Once you understand private keys/seed phrases, distinguishing between hot and cold wallets is easy:

  • Hot Wallet: The private key is stored on a device connected to the internet (phone or computer). Signing is done on that device. Wallet apps provided by brands like MetaMask, OKX, SafePal, and TP are typically hot wallets.
  • Cold Wallet: The hardware wallets we often hear about are a common implementation of cold wallets. The private key is generated and stored in a dedicated offline hardware device. The private key never leaves the device during signing. Examples include hardware devices from Ledger, Trezor, and OneKey.

Of course, most projects that make hardware wallets also have their own compatible software apps, like SafePal and OneKey.

It's important to note that a cold wallet doesn't mean the entire setup never touches the internet. More accurately, it means the private key itself never leaves the hardware device and is never directly exposed to the internet-connected phone or computer. The actual process is roughly:

  • The phone or computer generates a transaction waiting to be signed.
  • The hardware wallet signs it within its secure chip.
  • The hardware wallet sends the signed result back to the phone or computer.
  • The phone or computer broadcasts the transaction to the blockchain.

Throughout this process, the private key always remains inside the secure chip of the hardware device.

But a cold wallet, or hardware wallet, is not absolutely secure. If you take a picture of your hardware wallet's seed phrase and upload it, or enter it into a phishing website, or mistakenly authorize a malicious contract, the security of the hardware device itself becomes meaningless.

In the end, a hardware wallet protects the storage and signing environment of your private key, but it cannot protect against users actively leaking their seed phrase.

We'll discuss the specific choice between hot wallets and cold/hardware wallets in more detail in the next article.

5. Really, Can't I Save My Seed Phrase in the Cloud?

Some friends also repeatedly ask me: "Can't I just save my seed phrase in my phone's memo and not share it with anyone?" "Is it safe to store it in Alipay's 'Steel Box' or an encrypted cloud drive?"

Objectively speaking, security issues are rarely as simple as "it will definitely be stolen" or "it will definitely not be." It's about different storage methods corresponding to different risk probabilities.

The biggest risk of storing your seed phrase in a regular memo, WeChat favorites, chat history, email, or photo album is that your phone could be infected with malware or remotely controlled. Your cloud account could be hacked, or your photos and memos might sync automatically. Some apps might read your clipboard or local content. Even when you sell or repair your old phone, the data might not be completely erased.

Of course, tools with independent passwords and encryption features are potentially safer than a regular photo album or memo. However, you still need to trust the corresponding app on your phone, your cloud account, and the strength of your password. A breach in any one of these links could lead to a leak.

So, for larger amounts of assets intended for long-term holding, it is still recommended to write your seed phrase on paper or record it on a dedicated metal seed phrase backup plate (most major hardware wallet providers also offer similar steel seed phrase plates, which we'll cover in the next article). Store these copies in two relatively safe and separate locations.

Of course, offline storage has its own risks, such as paper damage, loss during a move, fire, or flooding. Therefore, a truly reasonable security plan involves multiple backups.

We'll discuss the techniques for safeguarding crypto assets, and the specific use cases and choices for hot/cold (hardware) wallets, in more detail in the next article.
